Commits · c150fea5354468a61be263ab745ddf652c6184d3 · fact-depend / kernel-hardening-checker

22 Oct, 2022 2 commits
- Update the self-protection checks adopted by KSPP (part III) · c150fea5
```
Thanks to @kees
```
  Alexander Popov authored Oct 23, 2022
  c150fea5 Browse Files
- Update the KSPP recommendations again · e8a2c606
  Alexander Popov authored Oct 22, 2022
  
  e8a2c606 Browse Files
13 Oct, 2022 6 commits

Update the self-protection checks adopted by KSPP (part II) · ef4a19b8
```
Thanks to @kees
```
Alexander Popov authored Oct 13, 2022
ef4a19b8 Browse Files
Update the self-protection checks adopted by KSPP (part I) · 3c9d3fcb
```
Thanks to @kees
```
Alexander Popov authored Oct 13, 2022
3c9d3fcb Browse Files

Update the HW_RANDOM_TPM check · 0ac5fe30

Clip OS says that RANDOM_TRUST_BOOTLOADER and RANDOM_TRUST_CPU should be
disabled if HW_RANDOM_TPM is enabled. The Clip OS description:
  Do not credit entropy included in Linux’s entropy pool when generated
  by the CPU manufacturer’s HWRNG, the bootloader or the UEFI firmware.
  Fast and robust initialization of Linux’s CSPRNG is instead achieved
  thanks to the TPM’s HWRNG.

At the same time KSPP recommends to enable RANDOM_TRUST_BOOTLOADER and
RANDOM_TRUST_CPU anyway:
  Get as much entropy as possible from external sources. The Chacha mixer
  isn't vulnerable to injected entropy, so even malicious sources
  should not cause problems.

In this situation, I think kconfig-hardened-check should check
only HW_RANDOM_TPM (there is no contradiction about it)
and leave the decision about RANDOM_TRUST_BOOTLOADER and
RANDOM_TRUST_CPU to the owner of the system.

authored Oct 13, 2022

0ac5fe30 Browse Files

Update the UBSAN checks according to the KSPP recommendations · 1d2addd4
```
Thanks to @kees
```
Alexander Popov authored Oct 13, 2022
1d2addd4 Browse Files
Update the security policy checks adopted by KSPP · f6079ab5
```
Thanks to @kees
```
Alexander Popov authored Oct 13, 2022
f6079ab5 Browse Files
Update the KSPP recommendations · 86ca2053
Alexander Popov authored Oct 13, 2022

86ca2053 Browse Files

12 Oct, 2022 1 commit
- Improve the README · 20e1c977
  Alexander Popov authored Oct 12, 2022
  
  20e1c977 Browse Files
09 Oct, 2022 9 commits
- Update the README · e5525cb1
  Alexander Popov authored Oct 10, 2022
  
  e5525cb1 Browse Files
- Drop some of my security policy recommendations · 57eb7658
  Alexander Popov authored Oct 10, 2022
  
  57eb7658 Browse Files
- Check SECURITY_SELINUX_DEVELOP (recommended by Clip OS) · 89acc36f
```
Clip OS description: it "will eventually be n".
```
  Alexander Popov authored Oct 09, 2022
  89acc36f Browse Files
- Check SECURITY_SELINUX_BOOTPARAM (recommended by Clip OS) · ffee218d
  Alexander Popov authored Oct 09, 2022
  
  ffee218d Browse Files
- Improve the HW_RANDOM_TPM check · 5d58ae21
```
RANDOM_TRUST_BOOTLOADER and RANDOM_TRUST_CPU should be disabled if
HW_RANDOM_TPM is enabled.

The Clip OS description:
Do not credit entropy included in Linux’s entropy pool when generated
by the CPU manufacturer’s HWRNG, the bootloader or the UEFI firmware.
Fast and robust initialization of Linux’s CSPRNG is instead achieved
thanks to the TPM’s HWRNG.
```
  Alexander Popov authored Oct 09, 2022
  5d58ae21 Browse Files
- Check COREDUMP (recommended by Clip OS) · 7f9ca336
```
Disabling COREDUMP is needed for cutting userspace attack surface.
```
  Alexander Popov authored Oct 09, 2022
  7f9ca336 Browse Files
- Check CONFIG_HW_RANDOM_TPM (recommended by Clip OS) · bd7e735d
  Alexander Popov authored Oct 09, 2022
  
  bd7e735d Browse Files
- Check X86_MCE, X86_MCE_INTEL, X86_MCE_AMD (recommended by Clip OS) · 0a21c2cc
```
These options are enabled by default.
```
  Alexander Popov authored Oct 09, 2022
  0a21c2cc Browse Files
- Improve the README · fb49a542
  Alexander Popov authored Oct 09, 2022
  
  fb49a542 Browse Files
07 Oct, 2022 1 commit
- Update the README · 861e2ebe
  Alexander Popov authored Oct 05, 2022
  
  861e2ebe Browse Files
02 Oct, 2022 8 commits
- Also check 'nospectre_v2' with 'spectre_v2' · 899752c1
  Alexander Popov authored Oct 02, 2022
  
  899752c1 Browse Files
- Change the reason for the 'nopti' check · f47bd6f7
  Alexander Popov authored Oct 02, 2022
  
  f47bd6f7 Browse Files
- Change the reason for the 'nokaslr' check · 005306ec
```
KASLR is enabled by default.
```
  Alexander Popov authored Oct 02, 2022
  005306ec Browse Files
- Add the 'spectre_v2' check · 9c57a383
```
Don't normalize this cmdline option.
```
  Alexander Popov authored Oct 02, 2022
  9c57a383 Browse Files
- Add the 'nospectre_v2' check · d2ef2d8d
  Alexander Popov authored Oct 02, 2022
  
  d2ef2d8d Browse Files
- Change the reason for the 'nosmep' and 'nosmap' checks · 097c0912
```
SMEP and SMAP are enabled by default.
```
  Alexander Popov authored Oct 02, 2022
  097c0912 Browse Files
- Add the 'nospectre_v1' check · 205a1423
  Alexander Popov authored Oct 02, 2022
  
  205a1423 Browse Files
- Add the 'nopti' check · 40a359fa
  Alexander Popov authored Oct 02, 2022
  
  40a359fa Browse Files
24 Sep, 2022 2 commits

Add the comments: CC_IS_GCC and CC_IS_CLANG exist since v4.18 · da3daebd
Alexander Popov authored Sep 25, 2022

da3daebd Browse Files

Add the UBSAN_LOCAL_BOUNDS check for Clang build · f958a9d7

Explanations from the Linux kernel commit 6a6155f664e31c9be43cd:

When the kernel is compiled with Clang, -fsanitize=bounds expands to
-fsanitize=array-bounds and -fsanitize=local-bounds.

Enabling -fsanitize=local-bounds with Clang has the side-effect of
inserting traps.

That's why UBSAN_LOCAL_BOUNDS can enable the 'local-bounds' option
only when UBSAN_TRAP is enabled.

authored Sep 25, 2022

f958a9d7 Browse Files

18 Sep, 2022 1 commit

Update the links to AOSP and GKI · a4e54de7

Android Open Source Project (AOSP):
https://source.android.com/docs/setup/build/building-kernels

Android Generic Kernel Image (GKI):
https://source.android.com/docs/core/architecture/kernel/gki-release-builds

Also add the GKI config `android13-5.10`.

Thanks to @h0t for the idea.

authored Sep 18, 2022

a4e54de7 Browse Files

02 Sep, 2022 9 commits
- Update the README · 333af009
  Alexander Popov authored Sep 02, 2022
  
  333af009 Browse Files
- Detect the compiler used for the kernel compilation · fea07508
  Alexander Popov authored Sep 02, 2022
  
  fea07508 Browse Files
- Don't use CONFIG_CC_IS_GCC in the checks (it was introduced only in v4.18) · f5810766
  Alexander Popov authored Sep 02, 2022
  
  f5810766 Browse Files
- Move get-nix-kconfig.py to kconfig_hardened_check/config_files/distros · bb9f2865
```
This script is still waiting for fixes from NixOS folks:
  Issue #63
  PR #64
```
  Alexander Popov authored Sep 02, 2022
  bb9f2865 Browse Files
- Fix the X86_SMAP check: it is enabled by default since v5.19 · b9d4e555
```
Refers to the issue #71
```
  Alexander Popov authored Sep 02, 2022
  b9d4e555 Browse Files
- Check the nosmap and nosmep cmdline parameters · 9f90a30a
  Alexander Popov authored Sep 02, 2022
  
  9f90a30a Browse Files
- Adapt the RANDSTRUCT checks to the changes in Linux 5.19 · 6ae70f5e
```
Refers to the issue #71
```
  Alexander Popov authored Sep 02, 2022
  6ae70f5e Browse Files
- Fix the comment: SHADOW_CALL_STACK is now available for gcc (Linux 5.18) · 44449903
  Alexander Popov authored Sep 02, 2022
  
  44449903 Browse Files
- Add the SECURITY_LANDLOCK recommendation by KSPP · 9a42a432
  Alexander Popov authored Sep 02, 2022
  
  9a42a432 Browse Files
23 Aug, 2022 1 commit
- Check the nokaslr cmdline parameter · a5fc48e4
  Alexander Popov authored Aug 23, 2022
  
  a5fc48e4 Browse Files